CLAIMS 

What is claimed is: 

1. In a directory server, a system capable of interacting with entries
organized in a tree structure, each entry having attributes, the attributes
comprising real attributes each having a value stored in the entry, the system
comprising:

a mechanism capable of associating a virtual attribute to an entry subject
to a virtual attribute condition being verified, the virtual attribute condition being
derived from data located elsewhere in the tree structure; and

a resolving function capable of receiving a first filter expression based on
a virtual attribute, the resolving function for converting the first filter expression
into one or more second filter expressions comprising real attributes and
computed from the first filter expression and from the virtual attribute condition.

2. The system of Claim 1, further comprising indexing tables, each
indexing table related to a real attribute and comprising an ordered list of
attribute values with corresponding entry identifiers, the indexing tables being
extendable to those of the real attributes which may be contained in the one or
more second filter expressions.

3. The system of Claim 2, wherein some of the indexing tables are 
cached.

4. The system of Claim 2, further comprising a filter execution function
comprising:

a real filter evaluation function capable of receiving a real-based filter
expression based on a real attribute, for determining a corresponding set of
entries;

a virtual filter evaluation function capable of receiving a virtual-based
filter expression based on a virtual attribute, for submitting the virtual-based filter
expression to the resolving function as a first filter expression, and for
subsequently submitting resulting second filter expressions to the real filter
evaluation function; and

a discriminator for determining whether a filter expression is a real-based
one or a virtual-based one.

5. The system of Claim 4, wherein the real filter evaluation function is
arranged to determine the set of entries from an indexing table for the real
attribute, if available.

6. The system of Claim 4, further comprising a filter manager
responsive to the receipt of a request comprising a filter expression, the filter
manager for calling the filter execution function and evaluating the request in
the set of entries determined by the filter execution function.

7. The system of Claim 6, wherein the filter manager has a
filter-dividing function capable of splitting an input filter expression into elementary
filter expressions.

8. The system of Claim 7, wherein the filter-dividing function is operable
to split a filter expression presented as an input of the filter execution function
into elementary filter expressions for application to the filter execution function,
and the filter execution function is arranged to combine the respective results in
accordance with the combination of the elementary filter expressions in the
input filter expression.

9. The system of Claim 7, wherein the filter-dividing function is operable
to split second filter expressions into elementary second filter expressions for
application to the real filter evaluation function, and the filter execution function
is arranged to combine the respective results in accordance with the
combination of the second elementary filter expressions.

10. The system of Claim 1, wherein the first filter expression comprises
an operator intervening between a virtual attribute name and a virtual attribute
value.

11. The system of Claim 1, wherein the virtual attribute is a role attribute
related to a role entry in the tree structure and wherein the virtual attribute
condition comprises a role membership condition, the resolving function being
operable for converting a first expression comprising the virtual role attribute
into a second filter expression based on the role membership condition.

12. The system of Claim 11, in which a user entry meets the role
membership condition if it has a real attribute designating a role identifier
attached to the role entry.

13. The system of Claim 12, in which the role entry contains a plurality of
roles, wherein the resolving function is operable for repetitively receiving a filter
expression comprising the role attribute with a value identifying individual ones
of such contained roles.

14. The system of Claim 11, in which a user entry meets the role 
membership condition if it meets a role filter condition that is attached to the role 
entry. 

15. The system of Claim 11, further comprising a filter execution function
capable of determining a set of entries from the second filter expression, and of
restricting that set of entries to those that verify the virtual attribute condition.

16. The system of Claim 11, in which the role entry has a scope in the
tree structure, wherein the virtual attribute condition comprises a scope
condition.

17. A method of operating a directory server system that interacts with
entries organized in a tree structure, each entry having attributes, the attributes
comprising real attributes and virtual attributes, each real attribute having a
value stored in the entry and each virtual attribute being associated to an entry
subject to a virtual attribute condition being verified, the virtual attribute
condition being derived from data located elsewhere in the tree structure, the
method comprising:

receiving a first filter expression; and

if the first filter expression is based on a virtual attribute, converting the
first filter expression into one or more second filter expressions comprising real
attributes, the one or more second filter expressions being computed from the
first filter expression and from the virtual attribute condition.

18. The method of Claim 17, further comprising: 

constructing indexing tables, each related to a real attribute and having 
an ordered list of attribute values with corresponding entry identifiers, the 
indexing tables being extendable to those of the real attributes which may be 
contained in the second filter expressions. 

19. The method of Claim 18, further comprising:

if the first filter expression is based on a real attribute, determining a 
corresponding set of entries from an indexing table for the real attribute. 

20. The method of Claim 17, further comprising: 

determining whether the first filter expression is based on a virtual 
attribute or on a real attribute. 

21. The method of Claim 17, further comprising:

dividing the first filter expression into elementary first filter expressions;

determining a first set of entries for the elementary first filter expressions;
and

combining the first set of entries according to the first filter expression.

22. The method of Claim 17, further comprising:

converting the first filter expression into a second filter expression based
on real attributes;

dividing the second filter expression into elementary second filter
expressions;

determining a second set of entries for the elementary second filter
expressions; and

combining the second set of entries according to the second filter
expression.

23. The method of Claim 17, wherein the virtual attribute is a role
attribute related to a role entry in the tree structure and wherein the virtual
attribute condition comprises a role membership condition, the resolving
function being operable for converting a first expression comprising the virtual
role attribute into a second filter expression based on the role membership
condition.

24. A computer-usable medium having computer-readable program
code embodied therein for causing a directory server system to perform a
method of executing a filter function, the method comprising:

receiving a first filter expression; and

if the first filter expression is based on a virtual attribute, converting the
first filter expression into one or more second filter expressions comprising real
attributes, the one or more second filter expressions being computed from the
first filter expression and from a virtual attribute condition, wherein the virtual
attribute is a role attribute related to a role entry in a directory structure and
wherein the virtual attribute condition comprises a role membership condition.

25. The computer-usable medium of Claim 24 wherein the
computer-readable program code embodied therein causes the directory server system to
perform the method further comprising:

constructing indexing tables, each related to a real attribute and having
an ordered list of attribute values with corresponding entry identifiers, the
indexing tables being extendable to those of the real attributes which may be
contained in the second filter expressions.

26. The computer-usable medium of Claim 25 wherein the
computer-readable program code embodied therein causes the directory server system to
perform the method further comprising:

if the first filter expression is based on a real attribute, determining a
corresponding set of entries from an indexing table for the real attribute.

27. The computer-usable medium of Claim 24 wherein the
computer-readable program code embodied therein causes the directory server system to
perform the method further comprising:

determining whether the first filter expression is based on a virtual
attribute or on a real attribute.

28. The computer-usable medium of Claim 24 wherein the
computer-readable program code embodied therein causes the directory server system to
perform the method further comprising:

dividing the first filter expression into elementary first filter expressions;

determining a first set of entries for the elementary first filter expressions;
and

combining the first set of entries according to the first filter expression.

29. The computer-usable medium of Claim 24 wherein the
computer-readable program code embodied therein causes the directory server system to
perform the method further comprising:

converting the first filter expression into a second filter expression based
on real attributes;

dividing the second filter expression into elementary second filter
expressions;

determining a second set of entries for the elementary second filter
expressions; and

combining the second set of entries according to the second filter
expression.
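
The following Python example is added here as an illustration and is not part of the claims or of any product's code. It walks the arrangement of Claims 1, 2, 4 and 11 to 16: a discriminator, a resolving function that turns a role-based filter into real-attribute filters, index lookups, and the scope restriction that stops an out-of-scope entry from being returned as a role member. The attribute names `role`, `roleId` and `dept`, the role types, the sample DNs, and the rule that a role's scope is its parent subtree are all assumptions made for the example.

```python
# Added illustration. All attribute names, DNs and data below are constructed.
VIRTUAL = {"role"}  # hypothetical name of the virtual (role) attribute

ROLES = {  # role entries: data located elsewhere in the tree than the user entries
    "cn=admins,ou=eng,o=ex": {"type": "managed"},
    "cn=ops,ou=eng,o=ex": {"type": "filtered", "filter": ("dept", "ops")},
    "cn=staff,o=ex": {"type": "nested",
                      "roles": ["cn=admins,ou=eng,o=ex", "cn=ops,ou=eng,o=ex"]},
}
ENTRIES = {  # user entries with their real attributes
    "uid=ann,ou=eng,o=ex": {"dept": "dev", "roleId": "cn=admins,ou=eng,o=ex"},
    "uid=bob,ou=eng,o=ex": {"dept": "ops"},
    "uid=cat,ou=hr,o=ex": {"dept": "ops"},  # matches the role filter, out of scope
    "uid=dan,ou=hr,o=ex": {"dept": "hr", "roleId": "cn=admins,ou=eng,o=ex"},  # out of scope
}

def index(attr):
    """Indexing table for a real attribute: ordered values -> entry identifiers."""
    table = {}
    for dn, attrs in ENTRIES.items():
        if attr in attrs:
            table.setdefault(attrs[attr], set()).add(dn)
    return dict(sorted(table.items()))

def resolve(role_dn, seen=()):
    """Resolving function: (role=role_dn) -> list of (real filter, scope)."""
    role = ROLES.get(role_dn)
    if role is None or role_dn in seen:  # unknown role or nesting loop
        return []
    scope = role_dn.split(",", 1)[1]  # assumption: scope is the role entry's parent subtree
    if role["type"] == "managed":  # membership via a real attribute naming the role
        return [(("roleId", role_dn), scope)]
    if role["type"] == "filtered":  # membership via a filter attached to the role entry
        return [(role["filter"], scope)]
    # nested: resolve once per contained role, each keeping its own scope
    return [p for sub in role["roles"] for p in resolve(sub, seen + (role_dn,))]

def search(flt):
    """Filter execution: discriminate, resolve if virtual, evaluate on the indexes."""
    attr, value = flt
    if attr not in VIRTUAL:  # real-based filter: answered from its index
        return set(index(attr).get(value, set()))
    hits = set()
    for (real_attr, real_value), scope in resolve(value):
        candidates = index(real_attr).get(real_value, set())
        hits |= {dn for dn in candidates if dn.endswith("," + scope)}  # scope condition
    return hits
```

Without the scope check in `search`, the constructed entry `uid=dan,ou=hr,o=ex` would count as a member of the `admins` role merely because it carries the `roleId` value.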



SUN-P7646/ACM/WAZ 






